<![CDATA[[Solved] need to add an upstream certificate for my FW.]]>So, here's a new one.

I'm running pfSense in my test lab to mess with virtual routing and SDNs. My internet connection is provided by my school so I'm dealing with their MITM certificate for our Fortigate FW.

I added the certificate to the system via CAs in the certs menu of the webconfigurator, but when trying to check for updates the system says it's up to date (which I know it's not), and when trying to update from console I get this:

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg-static: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-core/packagesite.txz: Authentication error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-pfSense_v2_4_2/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-pfSense_v2_4_2/packagesite.txz: Authentication error
Unable to update repository pfSense

I understand this isn't a normal requirement, but I'm not sure where to go from here, I've even tried amending the certificate to```
/usr/local/share/certs/ca-root-nss.crt


TLDR: I need to install a root CA but I can't for the life of me get pfSense to accept the certificate as valid.
]]>https://forum.netgate.com/topic/125582/solved-need-to-add-an-upstream-certificate-for-my-fwRSS for NodeSat, 18 Apr 2026 07:04:45 GMTWed, 10 Jan 2018 18:21:20 GMT60<![CDATA[Reply to [Solved] need to add an upstream certificate for my FW. on Thu, 11 Jan 2018 13:47:57 GMT]]>So, solution update. Editing the files via the webconfigurator was my problem. It seems as though the editor was saving blank files instead of my changes, and as such nothing was working. I edited the files with VI and the cert was accepted into the system. I do still have a issue with a different upstream cert, but I can fix that based on my fix with this one.

Thanks for everyone's help, I'll try to add a guide on my site for this because I couldn't find anywhere online that referenced both files.

]]>https://forum.netgate.com/post/745385https://forum.netgate.com/post/745385Thu, 11 Jan 2018 13:47:57 GMT<![CDATA[Reply to [Solved] need to add an upstream certificate for my FW. on Thu, 11 Jan 2018 13:01:41 GMT]]>@Grimson:

@ipat8:

So I did this, and now both files are empty…..

pfSense doesn't empty them, it might overwrite them during an update but nothing more than that. So take the backup you made (you did backup these files before editing them, didn't you?) and try again.

It's a VM, I'll just reinstall, but moreover, they are empty, and the templates are empty as well. I edited them through the webUI, so I'll try with vi and see if that makes a difference.

]]>https://forum.netgate.com/post/745367https://forum.netgate.com/post/745367Thu, 11 Jan 2018 13:01:41 GMT<![CDATA[Reply to [Solved] need to add an upstream certificate for my FW. on Wed, 10 Jan 2018 18:52:52 GMT]]>@ipat8:

So I did this, and now both files are empty…..

pfSense doesn't empty them, it might overwrite them during an update but nothing more than that. So take the backup you made (you did backup these files before editing them, didn't you?) and try again.

]]>https://forum.netgate.com/post/745228https://forum.netgate.com/post/745228Wed, 10 Jan 2018 18:52:52 GMT<![CDATA[Reply to [Solved] need to add an upstream certificate for my FW. on Wed, 10 Jan 2018 18:46:43 GMT]]>@Grimson:

There are two places where cerificates are stored on pfSense:


/usr/local/etc/ssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt

so try to add your cert to the list in /usr/local/etc/ssl/cert.pem too.

So I did this, and now both files are empty…..

]]>https://forum.netgate.com/post/745227https://forum.netgate.com/post/745227Wed, 10 Jan 2018 18:46:43 GMT<![CDATA[Reply to [Solved] need to add an upstream certificate for my FW. on Wed, 10 Jan 2018 18:30:05 GMT]]>There are two places where cerificates are stored on pfSense:


/usr/local/etc/ssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt

so try to add your cert to the list in /usr/local/etc/ssl/cert.pem too.

]]>https://forum.netgate.com/post/745222https://forum.netgate.com/post/745222Wed, 10 Jan 2018 18:30:05 GMT